SSH Authentication Using Hosted RADIUS

In this post, we will show how simple it is to configure your Linux server to use credentials stored in your cloud RADIUS.

Firstly, install necessary development tools so we can compile the authentication module.

CentOS:

yum install gcc pam pam-devel make -y

Ubuntu:

apt-get install make libpam0g-dev

After it’s finished, we will download the source code of the pam_radius package from the original FTP server.

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz

Untar it, move to its directory and compile it:

tar xvzf pam_radius-1.3.17.tar.gz
cd pam_radius-1.3.17
make

A new file called “pam_radius_auth.so” should be created.

In CentOS and if you are on the x86_64 arch, copy this file to /lib64/security folder. If you are still on the x86 arch, you want to copy this file to /lib/security/ folder.

On Ubuntu copy the pam_radius_auth.so file to /lib/x86_64-linux-gnu/security/.

Now open up /etc/pam.d/sshd and add the pam_radius_auth.so just before the top line like below in CentOS:

CentOS:

#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

In Ubuntu we open up /etc/pam.d/sshd and add the pam_radius_auth.so line at the very top like below, in Ubuntu we also need to comment this line @include common-auth to look like this #@include common-auth, see below: